
New CryptXXX Can Evade Detection, Outsmart Decryption Tools

Crooks behind the fast-spreading CryptXXX ransomware have updated the latest variant with better encryption technology and new methods to evade detection by researchers. This latest version of CryptXXX was spotted by researchers at SentinelOne, who say the new updated sample has already earned ransomers approximately

The new version of the CryptXXX ransomware is spreading primarily through spam, said Caleb Fenton, senior security researcher at SentinelOne, in a technical description of the find posted Monday.

CryptXXX has been a fast-moving target for researchers, considered by some to be the “hot new kid on the block” when it comes to ransomware – even nipping at the heels of the notorious Locky ransomware when it comes to infection rates and distribution. In May cybercriminals released an updated CryptXXX 3.100 version of the ransomware that includes a new StillerX credential-stealing module that gives attackers additional capabilities to monetize an attack.

Now, SentinelOne reports, cybercriminals have updated CryptXXX again, tweaking the encryption engine further to prevent unspecified free decryption tools from working. According to a Kaspersky Lab support page, the RannohDecryptor utility worked on numerous earlier versions of the CryptXXX ransomware. However, in late May, with the 3.100 release of CryptXXX, RannohDecryptor was no longer able to decrypt files from the 3.100 version of the ransomware, though it is still effective for early versions.

This new CryptXXX variant, found by SentinelOne, also packs new evasive tricks such as masking the ransomware payload inside a DLL that appears to be a legitimate DLL for the video editing software CyberLink PowerDVD Cinema. “A quick check of the malicious DLL’s properties reveals it’s using what appears to be the details of a legitimate DLL named _BigBang.dll,” Fenton wrote.

Upon closer inspection, however, Fenton notes that while the DLL shares the exact same properties as _BigBang.dll, the code cleverly masks the ransomware payload. “The unpacking happens by allocating memory for the encrypted payload with VirtualAlloc and then copying over the encrypted bytes,” Fenton reports. Even once the DLL is unpacked, its contents still “look mostly benign,” he said.

Looking a little harder, Fenton noted there were telltale signs of ransomware that raised researcher eyebrows. “The list of exports is unusually large for a program with seemingly no actual legitimate functionality,” he wrote. “Further, the imports and exports are completely different from those of the legitimate _BigBang.dll. It may be safely assumed these functions are present to thwart analysis.”

Next, the malicious DLL runs through a decryption and decompression routine. Eventually, the unpacker determines the location of the Windows Startup folder by querying the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup”, and the unpacked code places an HTML ransom note there, which is opened whenever the computer is started to ensure the victim knows how to recover their files, according to the technical description.

“The analyzed sample was originally executed from a Windows shortcut (.lnk file). The shortcut points to rundll32.exe F0F3.tmp.dll,MSX3,” Fenton describes. These arguments tell rundll32.exe to load F0F3.tmp.dll and then execute its MSX3 export. “Shortly after the MSX3 address is retrieved, execution jumps to that address and the file encryption and ransom behavior begins.”

SentinelOne says files are encrypted using a combination of RSA and RC4 and given the file extension .cryp1, as opposed to earlier versions of CryptXXX that used .crypz and .crypt. Ransom payment analysis shows the Bitcoin address behind the ransomware received 70 bitcoins between June 4 and June 21, with an average payout of 1.3 bitcoin ($766) from approximately 60 individuals or organizations.
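The three behaviours described above (an HTML ransom note dropped into the Startup folder, rundll32.exe launching a dropped .tmp.dll by export name, and files renamed with the .cryp1/.crypz/.crypt extensions) are all visible in ordinary endpoint telemetry. The following is an added example of how a defender might turn them into simple hunting rules; it is not code from SentinelOne, Threatpost or the article. The event lines, the "kind|host|detail" format and the rule names are constructed for the example, and the 3.100 release's actual telemetry may differ.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (not from the article or any real system), in a
# simplified "kind|host|detail" form loosely resembling endpoint telemetry.
SAMPLE_EVENTS = [
    "proc|ws01|C:\\Windows\\System32\\rundll32.exe F0F3.tmp.dll,MSX3",
    "proc|ws01|C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL",
    "file|ws01|C:\\Users\\alice\\Documents\\report.docx.cryp1",
    "file|ws01|C:\\Users\\alice\\Documents\\budget.xlsx",
    "file|ws01|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\readme.html",
    "file|ws02|C:\\Program Files\\CyberLink\\PowerDVD\\_BigBang.dll",
]

# rundll32 command lines of the form "rundll32.exe <dll>,<export>"
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+),(?P<export>[A-Za-z0-9_]+)",
    re.IGNORECASE,
)
# Extensions the article attributes to CryptXXX variants.
RANSOM_EXTS = (".cryp1", ".crypz", ".crypt")
# Per-user Startup folder path fragment (assumed default location).
STARTUP_MARK = "\\start menu\\programs\\startup\\"
WEB_NOTE_EXTS = (".html", ".htm")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_process(host: str, cmdline: str) -> Optional[Finding]:
    """Flag rundll32 loading a DLL whose name ends in .tmp.dll, as in the
    article's "rundll32.exe F0F3.tmp.dll,MSX3" launch chain."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    if m.group("dll").lower().endswith(".tmp.dll"):
        return Finding(host, "rundll32_tmp_dll",
                       f"{m.group('dll')} export {m.group('export')}")
    return None


def check_file(host: str, path: str) -> Optional[Finding]:
    """Flag ransom-extension file writes and HTML notes in the Startup folder."""
    low = path.lower()
    if low.endswith(RANSOM_EXTS):
        return Finding(host, "ransom_extension", path)
    if STARTUP_MARK in low and low.endswith(WEB_NOTE_EXTS):
        return Finding(host, "startup_html_note", path)
    return None


def analyze(events: List[str]) -> List[Finding]:
    """Run every rule over the event stream and collect the findings."""
    findings: List[Finding] = []
    for line in events:
        try:
            kind, host, detail = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip rather than crash the hunt
        if kind == "proc":
            finding = check_process(host, detail)
        elif kind == "file":
            finding = check_file(host, detail)
        else:
            finding = None
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events, the script reports the .tmp.dll launch, the .cryp1 rename and the Startup-folder HTML note while leaving the legitimate shell32.dll call, the unrenamed spreadsheet and the real _BigBang.dll alone. The extension and path checks are deliberately narrow; in practice they would be paired with a rate check (many renames in a short window) since a single matching filename is weak evidence on its own.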

Discussion

Hi ThreatPost. Small correction to the last line - the payout appears to be 1.2 BTC, not 1.3. You can view their blockchain history here: https://blockchain.info/address/18e372GNwjGG5SYeHucuD1yLEWh7a6dWf1

Authors

Threatpost
